Chapter 9: How to Safely Store Your Coins

Keeping your coins safe is one of most important goals in the crypto sphere. With increasing popularity and price of Bitcoin and other cryptocurrencies, it is even more important than ever. Whenever there is money to be made easily, you can be assured, that someone is willing to try. There are countless attempts to steal money from mostly new users. A lot of people are getting scammed or hacked every day, which is why some basic understanding of Internet security is crucial to keep your funds safe. Picking the right investment to actually make some money is hard enough; losing money to a scammer makes everything just unnecessarily frustrating. I know a lot of people who have been in the crypto sphere for many years, and most of them lost funds due to a preventable reason. I can only strongly advise going through the following pages attentively. But those of you who prefer a short summary will find the most important points at the end of the chapter.

9.1 Exchanges

The first thing you have to understand is that as long as you don’t own the private keys, you don’t own the coins. It might be a shocking realization, but you actually own none of the funds you hold on an exchange. As long as you don’t own the private keys to the corresponding coins, which is the case for every traditional exchange like Coinbase, Binance or  Bitfinex, you basically own nothing. You might have access to your coins, as long as you have your login credentials, but in case of any event that leads to a shut-down of the respective exchange, you won´t be able to access your coins anymore.the actual ownership is still not yours. If you have attentively read the chapter about some of the major milestones in crypto, you have surely noticed how much Bitcoin get stolen due to exchange hacks. Holding your coins on exchanges is one of the most common reasons for losing money. If the exchange gets hacked or the owner of the exchange runs away with the funds, there is no way for you to access and withdraw your coins. The simple rule here is to keep on the exchange only those funds that you are willing to lose.

Even though I don’t want to demonize smaller exchanges, you need to be especially careful when using them. Big exchanges make millions of dollars with trading or listing fees. Binance, for example, managed to make the profit of nearly $200 million in Q1 2018. That is even higher than the profit of the Deutsche Bank.41 Therefore, the risk of the exchange owners going offline is fairly small, since they are well known and make a fortune just by keeping the exchange running. But that doesn’t protect your funds in the event of a hack. Although it is safe to assume that every major exchange is doing its best to secure the users’ funds, that doesn’t make your funds safe. The more funds are traded and held on the exchange, the more rewarding it gets to search for possible ways and exploit vulnerabilities.

Earlier this year, Coincheck, a big Japanese exchange, lost more than $500 million worth of cryptocurrency due to a hack.42 This was only a very small part in the history of lost user funds, and you can be sure that something like this will happen again in the future. The lesson to be learned here is that if you don’t plan to actually trade with your assets, you should withdraw them to one of your own wallets. This greatly reduces your risk of losing money—at least on exchanges.

9.2 Your login credentials

There are some basic principles you should follow, navigating through the Internet and especially if you are involved in crypto. One of the worst things to do generally speaking is to use the same email and password over and over again. Not every page you sign up for is safe, and it’s never guaranteed that they are not selling your data. Needless to say, there is always the risk that your data is revealed in case of a hack. One good fake email might be enough to give away access to all your important accounts.

One of the first things to improve your security would therefore be the use of unique passwords for every service you need to register for. As long as you aren’t a genius with the ability to memorize dozens of different complex passwords, this might be the right time to take a look at a password manager. There are different ones on the market; nearly all require you to set up a master password at the beginning. This password will give you access to all your saved passwords; therefore, it’s best to choose a really strong and complex one. Make at least one written copy of the password and store it at a very safe place. Now you can safely store your new unique passwords. I know this is a lot of extra work, but you can trust me that it’s definitely worth it.

To improve the level of security further, it`s best to use different emails for different purposes. I would recommend using a new email for every exchange you register on. This is getting more and more important, since most exchanges now require you to undergo the KYC procedure. Exchanges will handle very sensible data linked to your email. This data and pictures could, in the worst case scenario, be used to gain access to nearly every other account or service you ever signed up for. It is therefore crucial to avoid this scenario by being as cautious as possible, especially since most ICOs will need you to undergo KYC too. The safest way would be to use a new email for every new ICO as well, since the chance of an ICO being a scam and the possibility that your very sensible data being unveiled are even higher.

At this point, you should really see power and advantages of a good password manager. Keeping every email and corresponding password in addition to its usage in mind is nearly impossible.

9.3 2-Factor authentication

In addition to the basic handling of your login credentials described above, 2FA is a huge step forward in security. There are different ways to use it, but in my eyes, one option outnumbers the others. Some services will actually force you to set up 2FA; others will mostly have at least the possibility to enable it. One possibility is to upload your phone number to receive one-time codes upon sign-up to the exchange or website. I would not advise to use this method because it is less secure and involves sharing more sensible data once again.43 The probably best way to enable 2FA is to use an app like Authy or Google Authenticator. It is very easy to use, and I will guide you quickly through the most important steps of using Google Authenticator.

After downloading and installing the app, you are nearly ready to go. It is important to know that if you set up 2FA and lose access to your phone, making it completely impossible to restore the app, there is still a way to unlink or deactivate 2FA to access your funds. But this is still very hard work because you will have to prove that the account you would like to access is actually yours. That might take weeks, since the support of an exchange, for example, will mostly need to verify you manually, which makes the process very painful. So, make sure that you are careful in executing the necessary steps to set up 2FA in your accounts. Most exchanges or websites will have the option of enabling you to have it displayed on your account page, or even prompt you to set it up right away. You will see a QR code and a backup code beneath it. This backup code is basically primed to be stored very carefully. This code is more than designated to be stored somewhere really safe. Please don’t just copy and store it as part of some file on your computer, which won’t make it safe at all. Even in the digital age, the old school pen-and-paper way may be the best option for you. If you want to, you can use your newly installed password manager once again to safely store your backup keys. As your password manager gets filled up with more and more sensible data, losing access to it would be devastating. Hence, I would advise you to make a backup of all the data from the password manager from time to time and store it in your vault or some other safe place.

Coming back to the process of 2FA, you will now have two possibilities to pair your device with the web service. After clicking on the plus symbol in the app, you can choose between the options to scan the provided QR code or type in the backup code by hand. Both options are totally equal, but scanning the QR with your phone might be the easier one. After setting it up, you will see a six-number code showing up in your app. Those are one-time passwords that will change every 30 seconds. To confirm that you set it up correctly and everything is working, the website will ask you to type in the one-time password. If you are unsure that you will be able to type in every digit before the time ends, just wait a few seconds till the next full cycle begins. Congratulations! You’ve successfully improved your security immensely. You can now set up the 2FA at every important service, like your mail account or cryptocurrency exchange, by just repeating the described steps above. Don’t forget to backup every single code before scanning the QR code and confirming the process with your one-time digital combination. Always keep in mind that the backup code will give everyone owning it the possibility to gain access to the one-time passwords easily. It might just take one malicious downloaded software to exploit all the files on your computer. Really make sure to treat the backup codes with care and store them offline at a secure place. After setting up 2FA, you will now always be asked, to type in your one-type password upon login to an exchange, mail account, or any other web service. When asked whether you want to save your login data for further visits, do NOT do it. This sounds inconvenient, and I can assure you that it definitely is. However, you will learn on the following pages why this is important to further enhance your security.

9.4 Keeping your computer secure

Most people won’t believe how easy it is to access the data stored on your computer. As the vast majority of stolen funds or data is actually attributable to the user’s mistakes, the end-user education has become the most important goal over the recent years. Some of the most commonly used tricks and techniques to access private information in any form are the following:44, 45

  • Keylogger
  • Malware (Trojans, Viruses, Worms)
  • Phishing
  • Malvertising

For nearly all available tricks or techniques to work, at least some kind of personal action is required from the end-user. Malvertising, for example, is getting more and more important with the rise of social media. The idea behind it is pretty simple. The hacker would include a certain advertisement banner on a website or app, which redirects the user to a malware-infected website he owns.

But as already mentioned, this would require the user to click on the link in the first place. As most security breaches involve downloading and executing a certain program, it can generally be advised, not to download anything from the sources you don’t know. Some of the famous examples most of you will already have encountered are the supposedly outdated flash player or your virus-infected computer. In both cases, you are prompted to download a program to fix the respective problem. If you use the Internet regularly, you will definitely know that neither your computer has been infected nor your flash plyer is outdated. Even though you might need to update your flash player at a certain point, it is either done automatically or through the original Adobe homepage.

Malware, including Keylogger, is often built into other programs. The execution of the supposedly non-harmful program will therefore install the unwanted malware as well. Once installed, a keylogger might copy everything you type (hence the name) and share it with the hacker. If you visit some of your websites to login, the hacker will easily get access to your written login credentials.

Trojans, for example, may enable the hacker to directly access your computer and any data saved on it. This includes every photo, document, or information stored.46 It is therefore crucial, especially if you are doing anything with crypto, to be very sensitive regarding your overall security. As a first step, keeping your antivirus software up to date is a good thing to start with. As hackers mostly focus on widely used programs to maximize their potential victims, it is generally advised to update any program or web browser plugins as soon as the newer version is available.47 If you are unsure whether the software you’ve downloaded is safe to use, you can always use the website: <https://www.virustotal.com/en/&gt; to check. This is a great addition to your local antivirus software, especially since it’s totally free. The uploaded file is analyzed by more than 70 antivirus scanners, and then you’re presented with the results.52

As a general concept, the scammers impersonate famous companies like Amazon or eBay with fake emails. The attempts can be very creative, and sometimes it’s hard for even an experienced user to spot the difference. Some emails will tell you that your payment was rejected, your account has been compromised (how ironic) or that you’ve just received some free Amazon Prime membership. All of them have one thing in common: At a certain point, they will require you to open a provided link and login a fake website. With you signing in, the hacker gets everything needed to access your account. This is even worse if you use the same password or email all over again. Please don’t EVER do this. A short quote to put all this in perspective:

Over the course of March, 2016–March, 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums.48

Both the table and the quote above were originally published by researches from Google and Berkeley. The table above is especially interesting and shows the top 10 of the most commonly used passwords of the analyzed data. It may (or may not after spending some time online) surprise you how little many users actually care about their data. I know that using unique passwords for every new website and online application can be tough, but as already mentioned multiple times in the course of this book, it’s definitely worth it. That’s so especially if you keep in mind that the number of attempts to steal your data will only increase in the future, as more and more information is stored online.

As a recent example, the DNA testing kit provider Myheritage was hacked, resulting in over 92 million emails and passwords revealed.49 The DNA testing kit is available for $69 on Amazon.50 Considering that your DNA is the most sensitive and valuable data you own, the low price may indicate otherwise. (It is noteworthy at this point that sequencing a whole genome costs around $1000.)51 Although they stated that no genomic data was stolen, I am almost certain that this will be the next big target for hackers. As not only insurance companies could benefit greatly from owing your genomic data, other possibly disastrous effects are yet to be defined in the future. That is only one additional example why you should be very careful with sharing your data in any form. Since data has generally become very valuable, hackers aren’t the only ones trying to collect it.

9.5 Using a VPN

If the whole topic of Internet security is totally new to you, all of this might seem all little bit over the top. But since you are reading this book because you are at least interested in diving into the magical world of cryptocurrencies, security and privacy are some of the most important things to take care of. It doesn’t really matter what a great trader you are, if you lose all your funds due to some security vulnerability.

Arguing that you don’t care about the right to privacy because you have nothing to hide is no different from saying you don’t care about free speech because you have nothing to say.

—E. Snowden

Privacy and anonymity are key factors in maintaining security. It is important for not only those who do something illegal online but for all of us. If you are connected to a Wi-FI, casually browsing the Internet, there might be more than just your eyes reading along. One of the easiest tricks of hackers includes setting up a fake hotspot calling it “McDonalds free wifi” or “Free Internet Hotspot Mainstation XX.” Once you log in, it is very easy for them to get access to your information or data. It is strongly advised to use only secure Wi-Fi and Internet hotspots.

But they may not be the only ones watching. As your data is very valuable, many websites are more than willing to collect or share your information. Besides that, it is interesting to know that every time you use the Internet, your data is shared with your Internet provider. Even if you can’t think of any website you would not like to have shared, they still don’t need to know everything about you. As a simple rule, the less people know about your being involved and invested in crypto, the better. The worst thing you can do is present your holdings or wealth online. Over the years, I have seen many people sharing screenshots of their fortune via Twitter or Telegram. That almost instantly puts a target on their back. Let me ask you a simple question: Would you share a screenshot of your bank account online? I am most certain that the answer is no. There is just no reason to risk being hacked.

There are many ways of increasing your security online, your web browser being one of them. Any newly installed plugin or extra function added to your browser may be a security risk. One of the easiest ways to browse the Internet in a safe way is using the Tor browser. It is available at <https://www.torproject.org/projects/torbrowser.html.en&gt;. The best description of the browser is written on the website:

The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.

It helps you regain a high level of privacy and security in a quite easy way.

“if you are not using Tor you´re doing it wrong”

—E.S.

Although the quote is related not to crypto specifically rather to privacy in general, it fits the context very well.

Another safety feature you could use (and, yes, using everything discussed in this chapter would be most secure) is creating a sandbox environment. Famous examples are VirtualBox or Wine for macOS and Sandboxie for Windows. To put it simple, you will emulate running another operating system (mostly Windows) on your computer. Installing any software, like new coin wallets or other potentially malicious downloads in this virtual environment, won’t hurt your general system. This can be a huge improvement in security, as you won’t need to set up an extra device just for installing potentially harmful wallets or other downloads.

At this point, you may already be overwhelmed by all these various security improvements. I know that applying all the points described above would lead to a totally different behaviour, ruining the ease of using the internet. Hence, after some time, you will definitely find the most suitable way for yourself. Although I would always encourage to maximize your security level, if you are not going to handle millions, you may stay safe for a very long time, following only the basics.

One really nice addition to the topic of security improvement is the use of a virtual private network (VPN). There a lot of different providers out there. Some of the most recommended ones include NordVPN, ProtonVPN, and Hide my Ass. I would advise you to look for deals or trials online to find the one that suits you best. The monthly fee of between $5 and $10 may seem high, but it’s definitely worth it. A virtual private network will enable you to send and receive data while remaining anonymous and secure.78 One of the basic ideas behind the VPN is to hide your true IP address from the websites you are browsing. This will make it way harder for hackers to identify you as a potential victim worth their hacking efforts. At the same time, your Internet provider won’t be able to collect or share any of your data with anyone. One of the reasons many people around the world are using a VPN is the ability to by-pass geoblocking. Some websites/page or services may be restricted in your home country. Since you are not using your official IP anymore but instead are lending one from you VPN provider, you are simply able to evade the applying restrictions. Since setting up a VPN is pretty simple, you should definitely give it a try.

One thing only a few people think of, but what is actually becoming more and more important, is preventing your mobile devices from getting hijacked. This is especially important, since the usage of mobile and web wallets is increasing constantly. This is not surprising in any form, as everyday usage of crypto is often regarded as some sort of turning point for the sphere. It is, therefore, really important to protect your mobile devices as well as possible to prevent any further harm. The good thing is that it won’t require you to install any additional software or to fundamentally change any of your habits to increase your security one step further this time. As you can see in the picture below, there are some small USB devices available on the market.124

These small USB adaptors get plugged into your normal power cable, and you are free to use your gear the way you normally do. But now, every data transfer over the regular charging cable is blocked. These adaptors, which are quite inexpensive, are sometimes dubbed “the USB condoms” and will make you feel comfortable using public charging spots or someone else`s computers. See the links to learn about a couple of the most popular ones:

PortaPow, <http://portablepowersupplies.co.uk&gt;

SyncStop, <http://syncstop.com&gt;

So far, we’ve learned a lot about keeping our computer and online presence as secure as possible. But besides that, storing your actual funds or more specifically your private keys may be the most important action in crypto.

Before we discuss this in detail, I would like to draw your attention to the fact that someone will be trying to scam you for your money. As hackers aren’t the only ones targeting your funds, it is very important to develop a feeling for potential scam attempts. On the following pages, I will gladly share some recent examples describing the way some individuals learned this lesson the hard way.

9.6 Not getting scammed

Before we dive deeper into this topic, we need to define the term scam in the first place. You will read and hear various opinions, as most people have their very own personal definition. Most commonly, a scam is defined as a (total) loss of funds due to the action of others. But as with most things in life, there is often at least some partial action required by the user itself for the scam to be successful. Hence, the best way to prevent being scammed is being very sensible with your personal data, especially your private keys. Over the recent years, ICOs became one of the main targets of scammers. Many “teams” are trying to collect as many funds possible, without any attempt of developing the promised functions. As already mentioned before, most of the projects will include a lot of buzzwords, a fancy-looking website, or a huge bounty campaign. Many of them won’t even have a whitepaper published, never mind a working product. But having a published whitepaper, doesn’t mean the project is good in any form, as many are nothing more than just words copied and pasted from somewhere else. Sometimes they don’t even hesitate copying the team and advisor sections from other projects to make you believe that they have a broad base of support. Of course, this is done without actually letting those team members know that their names are listed.

It’s a pity that so many bad projects receive a huge amount of funding. You will find a detailed description with major points to look for before investing in an ICO in Chapter four. All these factors described previously can give you an idea about the project and the team. There are many well-funded ICOs where the team just disappears after collecting the funds. Some of the projects issue an Ethereum-based token, trying to create the impression of the actual work being done, while sipping cocktails in the Bahamas.

If you are researching on a specific ICO project or just want to stay updated afterwards, telegram rooms are a good way to go. If you see  one of the admins writing in those rooms, their username will often contain something like: “Name of the Admin… does not PM first”. This originated after some newly created scamming attempt. The underlying concept is to trick potential ICO participants into sending their money to one of scammer´s own addresses instead of the original one from the project. The idea is actually creative, and scammers will message you via private messaging, impersonating one of the admins. Therefore, the scammers will copy the profile picture and text of the respective admin to make you think, that they are real. Good attempts involve registering with nearly the same Telegram name as the original, with only one single character being different. To check whether the one who is messaging is real, click on their personal profile and compare the corresponding profiles (you can find the profile of the real admin in the ICO related telegram room). You will always notice a very small difference in their username, and you can be sure that everything they are telling is a lie.

Since more and more ICOs require you to undergo KYC, there are always people who want to invest but who might not be able to pass the process. Those people are particularly good targets, as they are happy to have an opportunity to invest. Fake teams sometimes offer high level of bonuses or discounts, which should always get you thinking. If something like that happens to you, make a screenshot of the fake profile and send it to the ICO group or one of the admins personally.

Another attempt that took place this year is the Twitter giveaway scam. There are scammers impersonating famous Twitter personalities replying to every post the original person is making. They try to imitate the original profile as well as possible as they did with Telegram. Once again, their names differ by just a single letter, but they try to trick people into sending funds with a 5,000 ETH giveaway. They ask to send any amount of ETH to the proposed address to receive back twice the original amount. Sounds too good to be true? It definitely is. There are basically countless ways they use to trick you into sending them your money. At its peak, many old Twitter accounts actually stopped tweeting because it got out of hand. To prevent people from getting scammed, the following website was created, listing the known attempts:80

Look at the screenshot above! At the time of writing, there may have been already more than 8,000 ETH lost to scammers.81 One way to stay safe on Twitter is by looking for a certain blue badge (a checkmark) to the right of the username, indicating a Twitter-verified account. A scammer cannot have their account verified.

Charlie Lee, a computer scientist known as the creator of Litecoin, is just one well-known victim of impersonation.82 Let’s take a look at two versions of his account—a real one and a fake one.

Here is a real one.

And here is a fake one. Can you spot the red flags?

No blue badge! And some totally random username following the @ symbol! Of course, the problem is that only some Twitter accounts are verified. Hence, the blue badge check may not always be helpful.

You can also try checking whether an Ethereum address has been involved in scamming activities by just googling it. The address may already be linked to some scamming attempts, there may be some helpful comments on websites like <etherscan.io>.

Another important lesson to learn on social media is that you should always be careful with the shared links. Scammers will target you not only via email (by sending you a link to get you to sign in on a fake page) but also by trying to redirect you to their fake websites. Those websites mostly represent fake exchanges that will look almost exactly like the original ones. A good way to avoid any trouble in general is therefore bookmarking important and often used websites. This is especially important for exchanges and web wallets. As always, the best way to prevent being scammed is using everything crypto-related very carefully and with a lot of focus. The whole crypto sphere is quite greed driven. As such, you can be more than sure that scammers will come up with new ways of trying to swindle you.

Here is an example of another “creative” attempt from not so long ago. Imagine someone posting a private key to an Ethereum address, which can be used to access real funds. You will not find any ETH there but will find a high number of tokens worth, say, $50,000. As you are only able to move any ERC20 tokens, by owning a certain amount of ETH on the same address, you won´t be able to transfer the tokens in this scamming attempt, even though you own the “right” private keys. Hence, anyone who wants to access the tokens has to send some of his own ETH first. As a “smart” contract will immediately redirect any amount sent to that address, you will never be able to actually touch the tokens. Quite clever isn’t it?

When it comes to giveaways, you should always keep in mind that real giveaways don’t normally require you to send anything. It is supposed to be a giveaway for you, not from you.

Another new method to scam people emerged with the rise of a new crypto phenomenon, the so-called Airdrops. Airdrops are quite famous these days and need a little more critical evaluation. Some new projects use free tokens to promote their project or ICO in the same way that PayPal did a few years back. To further enhance their marketing, PayPal would give $20 to all those signing up and linking their credit cards. The amount was lowered later, but PayPal ended up spending about US70 million,83 which worked very well.

Even though most crypto-related airdrops are worth only a few bucks, some may turn out to be very profitable. One of the most recent examples involves the project Ontology (ONT). As the project was famous, a lot of people signed up to get whitelisted for their ICO. But there never was any ICO. Instead, every participant that successfully passed the KYC procedure received 1,000 ONT. That is quite a lot of money if you consider the price peaking at around $10 per single ONT. But such positive examples are rare. Sometimes, signing up to an airdrop is just not worth the information you share. The form you need to fill out to be able to claim your reward sometimes contains a lot of sensitive information. Yet your email address alone is very valuable to them, as it helps to identify potential phishing targets. If you’d like to participate in airdrops, I would advise you to recall the safety measures discussed in this chapter—especially, the use of unique email addresses for every purpose.

The good thing here is that if you stay in crypto for a longer time period, you will almost certainly spot the pattern. During my early days in crypto, the mining hype lead to new PoW projects being launched every day. There was a coin for literally everything—Earthcoin, Mooncoin, Alcohoin (yes, that is not a spelling mistake)—to just name a few. This hype was followed by the ICO boom as you may know it. The most recent hype is all about masternodes. With the meteoric rise of DASH, it got nearly impossible to buy the required 1,000 coins for most investors. As owning a masternode would grant you a great passive income, many people searched for alternatives. It didn’t take long for scammers to come up with a new approach.

Now, they basically copy and paste a famous project with only some minor changes made to the name of the icon. Most projects include a high level of premine—enough to allow the creators, to run many masternodes on their own. Some developers even sell the amount required to start a masternode in a public auction. Even though the dev/team tries to give the appearance of the actual work done, they almost certainly develop something else.

People are willing to spend their hard-earned money in the dream of receiving an insanely high return on investment (ROI). Focusing solely on the ROI of a project is a bad idea, and we’ll talk about it next. I chose the following project randomly at the time of writing and took the following screenshots and data from <masternodes.online>, which is often used to track masternodes and for other research purposes.

The list above is sorted by the highest-yielding ROI.257 Besides that, you can find various types of information about the projects, which can help you spot potentially good or bad investments. If you click on one of the project names, the following will open up:

If you carefully go through the screenshots, you may notice a few things. The required 1,000 coins to run a masternode are worth around $60 or around 0.009 BTC at the time of writing. Now let’s have a look at the profit you could make by hosting a single masternode. After only one week, the coins you were rewarded with would be worth around $80 or 0.012 BTC. Hence, one single node worth 0.009 BTC today would lead to around 0.62 BTC per year, resulting in an insanely high ROI of over 7,000 percent. Investing one single Bitcoin today would therefore bring you 60 BTC at the end of the year. Sounds too good to be true? It definitely is. If you look at the number of active nodes, you will see around 350 running. Because of the even reward distribution between nodes, everyone receives the same number of coins worth 0.012 per week. Therefore, coins worth more than 3 BTC are added to the circulation every week. As the market is based on supply and demand, it is fairly unlikely that the price remains the same over a longer period.

Besides the risk you may undergo by downloading a potentially malicious wallet, there is more to focus on. As the screenshots above disclose, the project was only launched nine days ago. You therefore won’t find the project listed on a proper and trustworthy exchange or know the capabilities of the development team. Another interesting fact is the total market cap of the project. In our example, the project is valued at 6 BTC. That is especially interesting if you recall the 3 BTC per week in coins added to the circulation, isn’t it? Even though the 24-hour trading volume is quite high in comparison to the total market cap, you still wouldn’t be able to buy or sell large quantities. That is a major problem, as your coins have a certain value only as long as someone is actually willing to buy them. Otherwise, they are worthless. It is important to know that only one trade on an exchange can artificially create the impression of value. Keeping that in mind, it shouldn’t surprise you that teams often buy up their own coins at the start only to later sell them at a higher price.

To compare, look at the same stats for DASH:

After analyzing the screenshots above, it becomes quite obvious why high-ROI-yielding projects are considered to be a modern way of scamming.

9.7 Keeping your private keys secure

As you only own the coins if you own the corresponding private keys, the following few pages are very important. So, take your time and go through it as carefully as possible.

I would like to start with one more example explaining why staying anonymous is a good first step to protect your funds.

… nine individuals, including/led by marketing team members Sam Sing Fong, Mary Li (李臻/李敏), Xiangdong Yan (闫向东) and Jesse Sun Fei (孙飞) burglarized Synth’s home. They proceeded to hold Synth and his wife against their will for 6 hours, over the course of which they threatened, beat and robbed them. Thanks to wallet security measures, the group was only able to extract 18.88 Bitcoin and 6466 skycoins during the robbery. The gang also attempted and failed to steal the design framework for the skycoin ecosystem.84

The quote above is a statement of the Skycoin team following the rumours about a sudden price drop. The Skycoin project aims to build a true, decentralized network without central authority.85 Synth, the victim mentioned above, started the project many years ago. Now, what are the lessons to be learned from this story?

First, you doubt that everything happened exactly as described above. But how can you be sure? It is always important to stay alert all the time, even if you are reading a book or a reputable article. After the event, many people claimed that the statement above was nothing less than one of the boldest lies in crypto history. That isn’t surprising, as scam accusations against the Skycoin project are quite frequent. But why risk the reputation of the whole project and everyone involved by making up such a crazy lie in the first place?

Hacks happen all the time, and it would be easy to argue that a lot of funds are stolen and dumped on the market. When a statement like this emerges, it is up to you to decide whether it is legitimate. After all, what if it’s a scamming attempt by the team itself? Sadly, I am almost certain that incidents like this will only increase in frequency. Hackers and scams aren’t the only way to lose your funds,94 but at least they are impersonal and don’t involve your family. That’s why, your being involved in crypto should be known to as few people as possible.

Second, the damage could have been a lot worse, without a high level of security measures. Given the fact that everything happened as reported, it proves the point that security precautions are highly important to protect your private keys. I don’t know which features were used exactly, but I will discuss the most common ways to secure your private keys, on the following pages. One of the major inventions that will provide you with a high level of security is hardware wallets. The first one to discuss is Trezor. There are two models available right now both of which you can see below:86

The brand new model—Model T—is displayed on the right. It features a touch screen display and was released not too long ago. The model on the left is the original version called Trezor One. It brought the company a lot of success and was one of the milestones in terms of hardware wallets. They are very easy to use and can store more than 500 coins and tokens.87 Using Trezor really enhances your level of security, even if your computer is infected by malware. You will choose a PIN that you are required to type in every time you use Trezor. The key feature here is that the position of the numbers shown on screen varies every time. Hence, although your PIN remains the same, you will always type in a different combination of numbers.88 It may sound confusing at this stage, but it’s actually pretty easy and grants a high level of security.

Another famous hardware wallet is the Ledger Nano S.90 The company reached an important milestone last year by selling more than one million devices in total.89 The device is very handy and is used all around the globe.

It supports a broad range of different coins, including Bitcoin, ETH, DASH, Ripple and many others.90 Your personal PIN to access the device is directly entered through the device itself, enabling a high level of security.

A third and less popular one is the KeepKey hardware wallet.91

It works similarly with Trezor and Ledger but features a smaller range of coins.

As always, deciding which hardware wallet is right for you depends on your personal preference. In the end, many people will most likely end up with more than one, to match their holdings. No matter which one you are going to pick, the overall security will certainly be boosted. Besides, they have a few things in common that are crucial to understand.

If you receive your wallet, make sure that the wallet is sealed correctly and unopened. Otherwise do NOT use the device. The device will need you to write down your backup phrase of 12–24 words long—a so-called seed. This step is crucial, and you need to make sure, that you write down every single word in the correct order. Do NOT make a virtual copy of the seed on your computer. Just write it down on the sheet delivered with your device. The device will make sure that you write down your seed successfully in the proper order. This seed represents the only way to restore your funds in case your device is stolen, broken, or lost. It is therefore probably the most valuable piece of paper you own. But how does this all work?

The seed will give you access to all the coins and funds stored on the device. The sequence of words can be understood as a simple translation of the actual string, which would be way harder to write down or remember. (Otherwise it may look like this, for example: Lx641caf6fFGB10cf6e3zFG0bcc34ea100ff2a97ac236eyOf8f667705cJT4087f.) If you would like to know more about how that works and how those random words can be really secure, you can read the following insertion.

Mnemonic phrase or seed is a term often used in connection to crypto wallets and represents a number of words, which store all needed information to access a wallet.98 The implementation of mnemonic phrase as way to generate hierarchical deterministic (HD) wallets was proposed as BIP39.96 BIP stands for Bitcoin Improvement Proposal and represents a document to provide information and improvement ideas to the Bitcoin community.97 This can be regarded as the standard way of communication, since there is no central governance or authority. The BIP39 word list consists of 2048 different words, which are used to generate the seeds.95 But why are those 24 words safe to store potentially multiple millions worth of Bitcoin? And how easy is it to actually guess the word-order of your wallet? That can be broken down to the following equation: 204824 = 2.9642775 * 10^79. As you see, the chances are negligibly small that someone is able to resolve your seed and access your funds.

Another important thing to realize is the fact that your PIN is not directly bound to your seed. If you forget your PIN, you will always be able to restore access to your funds as long as you still have access to your seed. You would basically just need to recover your device with your seed and set a new pin. But at the same time, this also means that if someone has access to your seed, they will have access to all the funds on the device. It is therefore very important to secure your seed as well as possible. There are many ways to do it, and I will go through the probably most common ones. One way to even make your seed water/shock/fireproof is to use tools like cryptosteel or Billfodl. See the screenshot below, for example:92

There are only some minor differences between the two tools, and they both utilize the same concept. It can be seen as a way of engraving your seed onto real metal. You will receive a bag full of letters, which you use to build up the string of words, representing your precious key. This can provide you with an extra level of security in case your house burns down or any other major event of this sort happens. Although it adds some extra security, there are some negative points to consider as well. If someone finds the metal device, they may get an impression that it’s more than a basic sheet with random words.

In addition, the seed cannot be encrypted easily. Encryption is something very useful in the process of further securing your seed. One of the most common programs is VeraCrypt. It is free, open source and works on all the important operating systems.93 You can chose from a broad range of options to encrypt your entire hard drives, USB sticks, or partition. To increase your level of security further, I would divide your seed into two or three parts (everything you are comfortable with actually works) before you start the encryption. You will need to set up a password for being able to decrypt the parts later on. You can save them in your password manager. Make sure to use a unique password for every part of your seed. The encryption has different advantages. One of them is that even if a hacker or thief finds your secret place, they won’t be able to access your funds. If you keep the encrypted parts of your seed in different locations, even having some parts of your seed decrypted won’t help any hacker. If you don’t want to encrypt your seed in general, I would still advise you to divide your string of words into two or three parts. Stored in different locations, this will grant you a very high level of security. Even though there is no 100 percent security out there, you can just do your best to enhance it as well as possible.

But how to safely store the coins that are not supported by a hardware wallet? One popular way is to generate an offline backup/cold storage called the paper wallet. Some project may feature an own paper wallet generator, which makes it very easy to use. Take a look at the following Bitcoin paper wallet:100

Quite pretty isn’t it? It contains all the necessary information for further use. Some wallets feature a QR codes like the one above; some have only an address and a corresponding private key. In some cases, you may also find a key presented as a mnemonic seed. Make sure that you use only trusted websites and research them well before using them. Many websites will allow you to generate your paper wallet while being offline. Even though this is definitely a preferred way, some may require you to be online. If so, make sure to use all the safety precautions.

Paper wallets are a good addition to hardware wallets if you plan to hold the coins long term. The conversion of your cold storage paper wallet to a so-called hot wallet (the wallet the you use to spend funds) is very easy. It just requires the private key or seed and can be done in almost no time. But not all projects will offer you a paper wallet generator. Especially new projects will lack an “official” paper wallet generator. So how to safely store coins that are not supported by a hardware wallet or feature a paper wallet generator? This is actually not that hard, and we will go through the necessary steps in detail.

First of all, you will need an old computer that you don’t actually use anymore. An old laptop would be the best fit, since it’s handy and doesn’t need a lot of space. You won’t access the device very often, so it doesn’t have to be very fast.

Second, you have to delete all data, including the old operating system, and reinstall the OS of your choice. The most important part is that you NEVER connect the device to the Internet—not even for installing the new OS, verifying your key, or checking your email “real quick.” Just to make it very clear once again: NEVER, really NEVER connect the device to the Internet. Not even once. For every data transfer, you will use USB sticks. The most paranoid of you will use freshly burned CDs. The USB you use should always be newly formatted on your main computer that should feature every discussed safety measurement (e.g., check every downloaded file via <virustotal.com>, keep the antivirus software up to date, etc.).

Now, copy the downloaded wallet and transfer it to your old laptop. Install the wallet of your choice and start it. As there is no need to synchronize the blockchain for the next step, it will work perfectly without the Internet.

Now, encrypt your wallet with a password.

Next, you will need to check for the receiving addresses. Finding them may differ slightly, but you should be fine following the screenshot below.

Generate a new address by clicking on “new,” and save this address in a text file.

Next, head over to Tools and click on Debug console.

The last step should open up a window looking like this:

Now, you can read out your corresponding private key by typing in the following command:

*dumpprivkey XXXXXXXXXXXXXXXXXX*

XXXXXXX = your newly generated wallet address

If you type in the command with your generated address (watch the space between command and address), you should receive another address in the console field. This is your private key. Copy it and save it in your text file as well. This is literally all you need to do in order to generate a cold wallet by yourself. You can now print it, copy it by hand, or encrypt it. These steps will work with nearly all available wallets and coins.

The following is the command to import a private key:

importprivkey YYYYYYYYYYYYYY

YYYYYYYYY = your private key

It may take a few minutes but should work smoothly. As you import your private key only if you want to use your coins, make sure to have your wallet synched fully for your coins to show up. As this step requires an Internet connection, you can use your regular computer, with every safety precaution followed.

Here is something absolutely crucial. Once a wallet is installed on your device, a file containing your private key—the so-called wallet.dat—is created. The way to access the file varies depending on your operating system.

For Windows:

C: Users/”your name”/AppData/Roaming/”name of your wallet”/wallet.dat

For Mac:

Mac HD/ Users/”your name”/Library/Application Support/”name of your wallet”/wallet.dat

If you are unsure how to find the directory, open your finder icon in the Doc and press:

command + shift + G

You can then just move the file to any folder you like. Use Library to start, for example.

Note: This is the standard location. You may want to change the directory to the one you prefer, during the installation process. The wallet.dat file contains your private key and can therefore be used to restore your wallet. To do so, simply install the wallet again and replace the newly created wallet.dat file with the one you want to recover. As anyone owning this file would have total access and ownership of your funds, you should handle it with care. Always make sure that your laptop is secured by a very strong and unique password and that important files are encrypted. Especially make sure that your wallet is secured by a password, which you should definitely keep somewhere safe.

As you may already have to keep track of dozens of passwords at this stage, you need to make sure that you have a comfortable way of accessing them. If you use a password manager, backup the data from time to time. Never fully rely on one single feature. I personally write down every password on a sheet of paper and save it with all the other important stuff. Keeping a second copy accessible every time in your password manager should work fine in the vast majority of cases.

But what exactly is a safe place to store your wallets and passwords in the first place? When it comes to safety, people are more than creative. Some may rent a deposit box in a bank or store it in grandma’s basement. The very important part is trying to have a backup stored somewhere outside your home. That’s why splitting your seed in distinct parts and encryption is crucial, as it minimizes trust. Knowing that everything is safely stored and that no one beside you will be able to find and access your funds gives you a level of satisfaction needed to focus on other parts of crypto.

Below is the summary of some key points that you can use as a checklist. If you are unsure what the point is all about, just read a few pages back and go through it once again.

Key Points:

  • Never share your private key.
  • You own your funds only as long as you own the private keys.
  • Always use unique login credentials.
  • Enable 2FA everywhere.
  • Keep your computer safe all the time.
  • Don’t ever open suspicious links or click on advertising.
  • Stay anonymous.
  • Use a VPN.
  • Do not connect to open WI-FI or hotspots.
  • Educate yourself about common scams.
  • Be careful with Airdrops.
  • Encrypt your backup.
  • Use cold storage (hardware wallets, paper wallets).
  • Keep your seed/private key secure.
  • Use multiple backups and different geographical locations.